BGP FlowSpec Route Validation
This chapter provides information about BGP FlowSpec Route Validation.
Applicability
The information and configuration in this chapter are based on SR OS Release 15.0.R7. This chapter describes the BGP FlowSpec route validation as implemented in SR OS Release 15.0.R1, and later.
Overview
BGP FlowSpec refers to the use of BGP to distribute traffic flow specifications for IPv4 or IPv6 routes throughout a network. Flow specifications provide a means to quickly mitigate Distributed Denial of Service (DDoS) attacks. The BGP FlowSpec standard RFC 5575 defines a method to define and advertise flow filters to upstream BGP peers via BGP Network Layer Reachability Information (NLRI). See the 7450 ESS, 7750 SR, 7950 XRS, and VSR Unicast Routing Protocols Guide for the complete list of matching criteria (subcomponent names), such as destination prefix, source prefix, IP protocol, destination port, source port, and so on. The 7450 ESS, 7750 SR, 7950 XRS, and VSR Unicast Routing Protocols Guide also lists the FlowSpec actions, such as redirect, rate limit, and so on.
BGP flow specifications might be manipulated and sent with malicious intent. By default, all flow specifications received from iBGP or eBGP peers are accepted; validation is optional. In SR OS Releases prior to 15.0.R1, the validity was checked only at the time a FlowSpec route was received from the peer. In SR OS Release 15.0.R1, and later, FlowSpec routes that are already in the routing information base (RIB) can also become invalid at a later time, depending on the state of the unicast routes. draft-ietf-idr-bgp-flowspec-oid-03 describes validation procedures for BGP FlowSpec routes in specific route controller, route reflector, and route server scenarios. These recommendations, in combination with the original validation rules in RFC 5575, are all supported in SR OS Release 15.0.R1, and later. The BGP FlowSpec route validation rules are as follows.
Rule 1: FlowSpec routes originated in the same Autonomous System (AS) as the receiving BGP speaker are always considered valid. This is the case when either of the following applies:
The AS_PATH and AS4_PATH attributes of the BGP FlowSpec route are empty.
The AS_PATH and AS4_PATH attributes of the BGP FlowSpec route do not contain AS_SET and AS_SEQUENCE segments.
Rule 2: If Rule 1 does not apply, FlowSpec routes originated outside the local AS without a destination prefix subcomponent are always considered valid.
Rule 3: If Rule 1 does not apply, FlowSpec routes originated outside the local AS with a destination prefix subcomponent are only considered valid if all the following is true:
The neighbor AS (the last non-confederation AS in its AS_PATH attribute) of the BGP FlowSpec route matches the neighbor AS of the unicast IP route that is the best match of the destination prefix.
The neighbor AS of the BGP FlowSpec route matches the neighbor AS of all unicast IP routes that are longer matches of the destination prefix.
The best match unicast IP route and all longer match unicast IP routes must be BGP routes; static and IGP routes do not qualify.
BGP FlowSpec route validation in the base router is enabled with the following command.
configure router bgp flowspec validate-dest-prefix
BGP FlowSpec route validation in a VPRN is enabled as follows.
configure service vprn <service-id> bgp flowspec validate-dest-prefix
When validate-dest-prefix is enabled, the validation checks must be repeated every time there is a change to the best route or any longer match route of the destination prefix.
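The following Python model is an added worked example, not part of this guide and not SR OS or Nokia code. It applies Rules 1 to 3 to a constructed unicast RIB using the AS numbers, prefixes, and route types from this chapter's scenarios. The AS_PATH segment representation, the UnicastRoute and FlowSpecRoute classes, and the page_scenarios helper are assumptions made for illustration; the neighbor AS is taken as the first ASN of the first non-confederation segment, which is the last AS that prepended itself to the path. The model also checks longer-match routes that point to a different neighbor AS, a case the rules require but the chapter does not demonstrate.

```python
"""Model of the three BGP FlowSpec validation rules (RFC 5575 plus the
draft-ietf-idr-bgp-flowspec-oid refinements) applied to a constructed unicast
RIB.  Added example for illustration; it is not SR OS or Nokia code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# AS_PATH segment: (segment type, list of ASNs), e.g. ("AS_SEQUENCE", [64496, 64500]).
Segment = Tuple[str, List[int]]
CONFED_SEGMENTS = {"AS_CONFED_SEQUENCE", "AS_CONFED_SET"}


def neighbor_as(as_path: List[Segment]) -> Optional[int]:
    """Neighbor AS as the rules define it: the last AS that prepended itself to
    the path, i.e. the first ASN of the first non-confederation segment."""
    for seg_type, asns in as_path:
        if seg_type not in CONFED_SEGMENTS and asns:
            return asns[0]
    return None


@dataclass
class UnicastRoute:
    prefix: str
    proto: str                                    # "BGP", "ISIS", "OSPF", "STATIC"
    as_path: List[Segment] = field(default_factory=list)

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix, strict=False)


@dataclass
class FlowSpecRoute:
    as_path: List[Segment] = field(default_factory=list)
    dest_prefix: Optional[str] = None             # None: no destination prefix subcomponent


def validate(fs: FlowSpecRoute, rib: List[UnicastRoute]) -> Tuple[bool, str]:
    """Return (valid, reason) for one FlowSpec route against the unicast RIB."""
    # Rule 1: no AS_SET/AS_SEQUENCE segment (empty path included) -> local AS origin
    if all(seg_type in CONFED_SEGMENTS for seg_type, _ in fs.as_path):
        return True, "rule 1: originated in the local AS"
    # Rule 2: from another AS but no destination prefix to check against
    if fs.dest_prefix is None:
        return True, "rule 2: no destination prefix subcomponent"
    # Rule 3: the best match and every longer match must be BGP routes whose
    # neighbor AS equals the neighbor AS of the FlowSpec route
    fs_nbr = neighbor_as(fs.as_path)
    dest = ipaddress.ip_network(fs.dest_prefix, strict=False)
    covering = [r for r in rib if dest.subnet_of(r.net)]
    if not covering:
        return False, "rule 3: no unicast route covers the destination prefix"
    best = max(covering, key=lambda r: r.net.prefixlen)
    longer = [r for r in rib if r.net.subnet_of(dest) and r.net.prefixlen > dest.prefixlen]
    for r in [best] + longer:
        if r.proto != "BGP":
            return False, f"rule 3: {r.prefix} is a {r.proto} route, not BGP"
        if neighbor_as(r.as_path) != fs_nbr:
            return False, f"rule 3: {r.prefix} is via AS {neighbor_as(r.as_path)}, not AS {fs_nbr}"
    return True, f"rule 3: best and longer matches are BGP routes via AS {fs_nbr}"


def page_scenarios() -> dict:
    """The chapter's four cases, with constructed RIB entries for PE-1 and PE-4."""
    dest = "172.16.122.2/30"
    rib_pe4 = [UnicastRoute("172.16.122.0/30", "BGP", [("AS_SEQUENCE", [64496])])]
    rib_pe1 = [UnicastRoute("172.16.122.0/30", "ISIS")]
    return {
        "ibgp_empty_as_path":      validate(FlowSpecRoute([], dest), rib_pe1)[0],
        "ebgp_best_match_via_nbr": validate(FlowSpecRoute([("AS_SEQUENCE", [64496])], dest), rib_pe4)[0],
        "ebgp_best_match_isis":    validate(FlowSpecRoute([("AS_SEQUENCE", [64500])], dest), rib_pe1)[0],
        "ebgp_no_dest_prefix":     validate(FlowSpecRoute([("AS_SEQUENCE", [64500])], None), rib_pe1)[0],
    }


if __name__ == "__main__":
    for name, valid in page_scenarios().items():
        print(f"{name:26} {'valid' if valid else 'invalid'}")
```

Running the script prints the four outcomes; the two eBGP cases with a destination prefix differ only in the protocol and neighbor AS of the covering unicast route, which is exactly what Rule 3 inspects.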
Configuration
In this section, BGP FlowSpec route validation for IPv4 routes in the base router is shown. The action will set the rate to zero, so the matching traffic is dropped. The following use cases will be shown:
iBGP FlowSpec routes are valid when the AS_PATH attribute is empty. (Rule 1)
eBGP FlowSpec routes are valid if the best match for the destination prefix is a BGP route toward the neighbor AS from which the BGP FlowSpec route was received (and all longer match unicast IP routes are also toward that AS). (Rule 3)
eBGP FlowSpec routes are invalid if the best match for the destination prefix is not toward the AS from which the BGP FlowSpec route was received or when the route to the destination prefix is a static or an IGP route instead of a BGP route. (Rule 3)
eBGP FlowSpec routes without destination prefix subcomponent are valid. (Rule 2)
Example Topology with FlowSpec Route Server in AS 64496 shows the example topology with a FlowSpec route server in AS 64496 that will advertise iBGP FlowSpec routes to PE-1. Afterward, PE-1 will forward the valid FlowSpec routes to its BGP peers, and so on. Test center T1 in AS 64501 will generate traffic toward test center T2 in AS 64496. This traffic may be filtered by PE-5 when it receives a valid FlowSpec route with the correct matching criteria.
The initial configuration in the PEs is as follows.
Cards, MDAs, ports
Router interfaces
IGP routing protocol within each AS, but not between the autonomous system border routers (ASBRs) PE-3 and PE-4. It is possible to have OSPF in one AS and IS-IS in the other.
PE-1 is the route reflector (RR) in AS 64496 with clients PE-2 and PE-3. BGP is enabled for the IPv4 and flow-IPv4 address families between the PEs and between PE-1 and the FlowSpec route server. Initially, the FlowSpec route server is in AS 64496, but that will change in a later scenario. The BGP configuration on RR PE-1 is as follows.
configure
router
bgp
split-horizon
group "FlowSpec"
family ipv4 flow-ipv4
peer-as 64496
neighbor 192.168.11.2
exit
exit
group "iBGP"
family ipv4 flow-ipv4
cluster 192.0.2.1
peer-as 64496
advertise-inactive
neighbor 192.0.2.2
exit
neighbor 192.0.2.3
exit
exit
exit
The BGP configuration on PE-2 includes export policies for the system address 192.0.2.2/32 and the subnet toward the test center T2, 172.16.122.0/30, as follows. The configuration on PE-5 is similar, with export policies for the system address and for subnet 172.16.115.0/30.
configure
router
policy-options
begin
prefix-list "T2"
prefix 172.16.122.0/28 longer
exit
prefix-list "sys"
prefix 192.0.2.0/29 longer
exit
policy-statement "export-T2"
entry 10
from
protocol direct
prefix-list "T2"
exit
action accept
exit
exit
exit
policy-statement "export-sys"
entry 10
from
protocol direct
prefix-list "sys"
exit
action accept
exit
exit
exit
commit
exit
bgp
split-horizon
group "iBGP"
family ipv4 flow-ipv4
export "export-sys" "export-T2"
peer-as 64496
neighbor 192.0.2.1
exit
exit
On ASBR PE-3, the BGP configuration includes an iBGP group and an eBGP group. The BGP IPv4 routes for prefixes 192.0.2.2/32 and 172.16.122.0/30 are inactive within AS 64496, and the ASBR will advertise these inactive routes to its eBGP peer PE-4. The BGP configuration on PE-3 is as follows. The configuration is similar on PE-4.
configure
router
bgp
split-horizon
group "eBGP"
family ipv4 flow-ipv4
peer-as 64501
neighbor 192.168.34.2
advertise-inactive
exit
exit
group "iBGP"
family ipv4 flow-ipv4
next-hop-self
peer-as 64496
neighbor 192.0.2.1
advertise-inactive
exit
exit
exit
PE-2 and PE-5 both advertise two BGP IPv4 routes: one for the system address and another for the subnet toward the test center. These BGP routes will not be used within the local AS, but they will be advertised by the ASBRs to the peer AS, where these BGP routes will be used. The BGP IPv4 routes on ASBR PE-4 are as follows.
*A:PE-4# show router bgp routes
===============================================================================
BGP Router ID:192.0.2.4 AS:64501 Local AS:64501
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id Label
As-Path
-------------------------------------------------------------------------------
*i 172.16.115.0/30 100 None
192.0.2.5 None -
No As-Path
u*>i 172.16.122.0/30 None None
192.168.34.1 None -
64496
u*>i 192.0.2.2/32 None None
192.168.34.1 None -
64496
*i 192.0.2.5/32 100 None
192.0.2.5 None -
No As-Path
-------------------------------------------------------------------------------
Routes : 4
The BGP IPv4 routes on PE-5 are as follows.
*A:PE-5# show router bgp routes
===============================================================================
BGP Router ID:192.0.2.5 AS:64501 Local AS:64501
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id Label
As-Path
-------------------------------------------------------------------------------
u*>i 172.16.122.0/30 100 None
192.0.2.4 None -
64496
u*>i 192.0.2.2/32 100 None
192.0.2.4 None -
64496
-------------------------------------------------------------------------------
Routes : 2
No flow specifications have been received and no traffic will be filtered. When traffic is generated by T1 with IP destination address (DA) 172.16.122.2 and IP source address (SA) 172.16.115.2, it is forwarded to T2.
Default Treatment of FlowSpec Routes
The FlowSpec route server announces a FlowSpec IPv4 route to PE-1 with destination prefix 172.16.122.2/30, source prefix 172.16.115.2/30, destination port 4191, source port greater than 1024 as matching criteria, and rate limit 0 kbps (drop) as action. By default, there is no validation check for FlowSpec routes. All FlowSpec routes are considered valid and used, even if no BGP route exists to the destination prefix. All FlowSpec routes are advertised to all PEs, within the AS and to neighbor ASs. On all PEs, the FlowSpec route status codes are valid, best, and used. For example, on PE-5:
*A:PE-5# show router bgp routes flow-ipv4
===============================================================================
BGP Router ID:192.0.2.5 AS:64501 Local AS:64501
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP FLOW IPV4 Routes
===============================================================================
Flag Network Nexthop LocalPref MED
As-Path
-------------------------------------------------------------------------------
u*>i -- 0.0.0.0 100 None
64496
Community Action: rate-limit: 0 kbps
NLRI Subcomponents:
Dest Pref : 172.16.122.2/30
Src Pref : 172.16.115.2/30
Ip Proto : [ == 6 ]
Dest Port : [ == 4191 ]
Src Port : [ >1024 ]
-------------------------------------------------------------------------------
Routes : 1
On all PEs, an embedded IPv4 filter "fSpec-0" will be auto-created for the base router, as follows.
*A:PE-5# show filter ip filter-type flowspec
===============================================================================
Flowspec IP Filters Total: 1
===============================================================================
Filter-Id Scope Applied Description
-------------------------------------------------------------------------------
fSpec-0 Embedded N/A IPv4 BGP FlowSpec filter for the Base router
===============================================================================
*A:PE-5#
The details for this embedded filter are retrieved as follows.
*A:PE-5# show filter ip "fSpec-0"
===============================================================================
IP Filter
===============================================================================
Filter Id : fSpec-0
Scope : Embedded
Entries : 1 (insert By Bgp)
Description : IPv4 BGP FlowSpec filter for the Base router
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry : 256
Origin : Inserted by BGP FlowSpec
Description : (Not Specified)
Log Id : n/a
Src. IP : 172.16.115.2/30
Src. Port : gt 1024
Dest. IP : 172.16.122.2/30
Dest. Port : eq 4191
Protocol : 6 Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Src Route Opt : Off
Sampling : Off Int. Sampling : On
IP-Option : 0/0 Multiple Option: Off
TCP-syn : Off TCP-ack : Off
Option-pres : Off
Egress PBR : Disabled
Primary Action : Drop
Ing. Matches : 0 pkts
Egr. Matches : 0 pkts
===============================================================================
*A:PE-5#
This embedded filter "fSpec-0" is created on all PEs, and no traffic is filtered when no IPv4 filter is configured referencing this embedded filter. For this reason, PE-5 has the following IPv4 filter configured and applied on the ingress direction of interface "int-PE-5-T1". The default action is forward; only traffic matching the embedded FlowSpec filter is dropped (rate limit 0 kbps).
configure
filter
ip-filter 1 create
default-action forward
embed-filter flowspec router "Base"
exit
info
exit
router
interface "int-PE-5-T1"
ingress
filter ip 1
exit
exit
The following command on PE-5 shows that IPv4 filter 1 contains embedded filter "fSpec-0".
*A:PE-5# show filter ip 1 embedded
===============================================================================
IP Filter embedding
===============================================================================
In Offset From Inserted Status
-------------------------------------------------------------------------------
1 0 fSpec-0 1/1 OK
===============================================================================
*A:PE-5#
Test center T1 generates TCP traffic with IP DA 172.16.122.2, IP SA 172.16.115.2, destination port 4191, and source port 1025. This traffic matches the FlowSpec criteria and will be discarded, because the FlowSpec action is to limit the rate to 0 kbps. The following monitor command on PE-5 shows that the traffic incoming at port 1/1/1 (interface int-PE-5-T1) is dropped instead of being forwarded to port 1/1/3 toward PE-3.
*A:PE-5# monitor port 1/1/1 1/1/3 rate interval 3 repeat 2
===============================================================================
Monitor statistics for Ports
===============================================================================
Input Output
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
---snip---
At time t = 3 sec (Mode: Rate)
-------------------------------------------------------------------------------
Port 1/1/1
-------------------------------------------------------------------------------
Octets 544683 27
Packets 4255 0
---snip---
Port 1/1/3
-------------------------------------------------------------------------------
Octets 30 30
Packets 0 0
---snip---
The following command shows the IPv4 filter 1 with the filter match criteria. In this example, 67612 packets have matched the filter at the ingress and are dropped, because the primary action in the embedded FlowSpec filter is drop.
*A:PE-5# show filter ip 1
===============================================================================
IP Filter
===============================================================================
Filter Id : 1 Applied : Yes
Scope : Template Def. Action : Forward
System filter : Unchained
Radius Ins Pt : n/a
CrCtl. Ins Pt : n/a
RadSh. Ins Pt : n/a
PccRl. Ins Pt : n/a
Entries : 0/0/0/1 (Fixed/Radius/Cc/Embedded)
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry : 256
Origin : Inserted by embedded filter fSpec-0 entry 256
Description : (Not Specified)
Log Id : n/a
Src. IP : 172.16.115.2/30
Src. Port : gt 1024
Dest. IP : 172.16.122.2/30
Dest. Port : eq 4191
Protocol : 6 Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Src Route Opt : Off
Sampling : Off Int. Sampling : On
IP-Option : 0/0 Multiple Option: Off
TCP-syn : Off TCP-ack : Off
Option-pres : Off
Egress PBR : Disabled
Primary Action : Drop
Ing. Matches : 67612 pkts (8654336 bytes)
Egr. Matches : 0 pkts
===============================================================================
*A:PE-5#
FlowSpec Route Validation
On all PEs, FlowSpec route validation on the destination prefix is enabled within the base router context, as follows.
configure router bgp flowspec validate-dest-prefix
iBGP FlowSpec Routes
The FlowSpec route server is in AS 64496, so the AS_PATH attribute will be empty when it sends a FlowSpec IPv4 route to iBGP peer PE-1. For this reason, the FlowSpec route is considered valid. The following FlowSpec IPv4 route is received on PE-1 and the status codes are valid, best, and used:
*A:PE-1# show router bgp routes flow-ipv4
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP FLOW IPV4 Routes
===============================================================================
Flag Network Nexthop LocalPref MED
As-Path
-------------------------------------------------------------------------------
u*>i -- 0.0.0.0 100 None
No As-Path
Community Action: rate-limit: 0 kbps
NLRI Subcomponents:
Dest Pref : 172.16.122.2/30
Src Pref : 172.16.115.2/30
Ip Proto : [ == 6 ]
Dest Port : [ == 4191 ]
Src Port : [ >1024 ]
-------------------------------------------------------------------------------
Routes : 1
PE-1 will forward this valid route to its iBGP peers PE-2 and PE-3, which will also consider this FlowSpec route as valid.
eBGP FlowSpec Routes
Valid eBGP FlowSpec Routes with Destination Prefix
The FlowSpec IPv4 route is not only forwarded to the iBGP peers in AS 64496, but also by PE-3 in AS 64496 to its eBGP peer PE-4 in AS 64501. The eBGP FlowSpec route has a destination prefix subcomponent and it is valid on PE-4 because its neighbor AS (64496) matches the neighbor AS of the unicast IPv4 route that is the best match of destination prefix 172.16.122.2/30. It also matches the neighbor AS of all unicast IPv4 routes that are longer matches of the destination prefix. Also, the best match unicast IPv4 route is a BGP route. The following shows the FlowSpec IPv4 route received by PE-4 as valid, best, and used:
*A:PE-4# show router bgp routes flow-ipv4
===============================================================================
BGP Router ID:192.0.2.4 AS:64501 Local AS:64501
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP FLOW IPV4 Routes
===============================================================================
Flag Network Nexthop LocalPref MED
As-Path
-------------------------------------------------------------------------------
u*>i -- 0.0.0.0 n/a None
64496
Community Action: rate-limit: 0 kbps
NLRI Subcomponents:
Dest Pref : 172.16.122.2/30
Src Pref : 172.16.115.2/30
Ip Proto : [ == 6 ]
Dest Port : [ == 4191 ]
Src Port : [ >1024 ]
-------------------------------------------------------------------------------
Routes : 1
The following route table entry shows that the best match unicast IPv4 route for destination prefix 172.16.122.0/30 is a BGP route:
*A:PE-4# show router route-table 172.16.122.0/30
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
172.16.122.0/30 Remote BGP 00h19m55s 170
192.168.34.1 0
-------------------------------------------------------------------------------
No. of Routes: 1
The BGP IPv4 route for destination prefix 172.16.122.0/30 is as follows. The AS_PATH attribute only contains AS 64496, which is the AS where the FlowSpec IPv4 route originated.
*A:PE-4# show router bgp routes 172.16.122.0/30
===============================================================================
BGP Router ID:192.0.2.4 AS:64501 Local AS:64501
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id Label
As-Path
-------------------------------------------------------------------------------
u*>i 172.16.122.0/30 None None
192.168.34.1 None -
64496
-------------------------------------------------------------------------------
Routes : 1
PE-4 will then forward the valid FlowSpec IPv4 route to its iBGP peer PE-5, which will accept the FlowSpec IPv4 route as valid. As a result, an embedded filter "fSpec-0" will be auto-created. When test center T1 sends a traffic flow to T2 with matching criteria, the traffic will be dropped at the ingress port of interface "int-PE-5-T1" on PE-5.
Invalid eBGP FlowSpec Routes with Destination Prefix
Topology with FlowSpec Route Server in AS 64500 shows an example topology with the FlowSpec route server in AS 64500 and the other nodes in the same ASs as before.
The BGP configuration on RR PE-1 has been modified with a different peer AS in group "FlowSpec", as follows. FlowSpec validation remains enabled on all routers, so that part of the configuration need not be modified.
configure
router
bgp
split-horizon
group "FlowSpec"
family ipv4 flow-ipv4
peer-as 64500
neighbor 192.168.11.2
exit
exit
group "iBGP"
family ipv4 flow-ipv4
cluster 192.0.2.1
peer-as 64496
advertise-inactive
neighbor 192.0.2.2
exit
neighbor 192.0.2.3
exit
exit
exit
The FlowSpec route server advertises FlowSpec IPv4 routes to eBGP peer PE-1. When the FlowSpec route server advertises the preceding FlowSpec IPv4 route with IP DA 172.16.122.2/30, the receiving eBGP peer PE-1 will consider the FlowSpec IPv4 route invalid, because the FlowSpec IPv4 route was received from AS 64500 whereas IP prefix 172.16.122.2/30 is within AS 64496 and an IS-IS route to that prefix is available in the route table. The status codes in the following command on PE-1 show that the received FlowSpec IPv4 route is considered invalid.
*A:PE-1# show router bgp routes flow-ipv4
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP FLOW IPV4 Routes
===============================================================================
Flag Network Nexthop LocalPref MED
As-Path
-------------------------------------------------------------------------------
i -- 0.0.0.0 n/a None
64500
Community Action: rate-limit: 0 kbps
NLRI Subcomponents:
Dest Pref : 172.16.122.2/30
Src Pref : 172.16.115.2/30
Ip Proto : [ == 6 ]
Dest Port : [ == 4191 ]
Src Port : [ >1024 ]
-------------------------------------------------------------------------------
Routes : 1
The following route table on PE-1 shows that an IS-IS route is available toward destination prefix 172.16.122.0/30.
*A:PE-1# show router route-table 172.16.122.2
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
172.16.122.0/30 Remote ISIS 04h41m53s 18
192.168.12.2 20
-------------------------------------------------------------------------------
No. of Routes: 1
Invalid routes are not advertised to the BGP peers, so the other nodes will not receive this route. The following BGP summary on PE-1 shows that one FlowSpec IPv4 route was received from the FlowSpec route server, but it remains inactive and no FlowSpec IPv4 route is sent to PE-2 or PE-3.
*A:PE-1# show router bgp summary all
===============================================================================
BGP Summary
===============================================================================
Legend : D - Dynamic Neighbor
===============================================================================
Neighbor
Description
ServiceId AS PktRcvd InQ Up/Down State|Rcv/Act/Sent (Addr Family)
PktSent OutQ
-------------------------------------------------------------------------------
192.0.2.2
Def. Instance 64496 113 0 00h54m56s 2/0/2 (IPv4)
115 0 0/0/0 (FlowIPv4)
192.0.2.3
Def. Instance 64496 113 0 00h54m56s 2/2/2 (IPv4)
115 0 0/0/0 (FlowIPv4)
192.168.11.2
Def. Instance 64500 9 0 00h00m36s 0/0/2 (IPv4)
8 0 1/0/0 (FlowIPv4)
-------------------------------------------------------------------------------
*A:PE-1#
The following command on PE-5 shows that IPv4 filter 1 does not have an embedded filter "fSpec-0".
*A:PE-5# show filter ip 1 embedded
===============================================================================
IP Filter embedding
===============================================================================
In Offset From Inserted Status
-------------------------------------------------------------------------------
1 0 fSpec-0 0/0 OK
===============================================================================
*A:PE-5#
On PE-5, IPv4 filter 1 does not have an embedded filter "fSpec-0" and the default action of IPv4 filter 1 is forward, so the traffic from IP SA 172.16.115.2 to IP DA 172.16.122.2 with destination port 4191 and source port 1025 will be forwarded to T2.
Valid eBGP FlowSpec Routes without Destination Prefix
The FlowSpec route server advertises a FlowSpec IPv4 route for IP traffic with source prefix 172.16.115.2/30, destination port 4191, and source port greater than 1024. No destination prefix subcomponent is included, so the FlowSpec IPv4 route will be considered valid. The following command on PE-1 shows that the FlowSpec IPv4 route without destination prefix subcomponent is valid, best, and used, while an almost identical FlowSpec IPv4 route with destination prefix subcomponent is invalid.
*A:PE-1# show router bgp routes flow-ipv4
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP FLOW IPV4 Routes
===============================================================================
Flag Network Nexthop LocalPref MED
As-Path
-------------------------------------------------------------------------------
u*>i -- 0.0.0.0 n/a None
64500
Community Action: rate-limit: 0 kbps
NLRI Subcomponents:
Src Pref : 172.16.115.2/30
Ip Proto : [ == 6 ]
Dest Port : [ == 4191 ]
Src Port : [ >1024 ]
i -- 0.0.0.0 n/a None
64500
Community Action: rate-limit: 0 kbps
NLRI Subcomponents:
Dest Pref : 172.16.122.2/30
Src Pref : 172.16.115.2/30
Ip Proto : [ == 6 ]
Dest Port : [ == 4191 ]
Src Port : [ >1024 ]
-------------------------------------------------------------------------------
Routes : 2
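An operator who enables validate-dest-prefix will want to notice when a received FlowSpec route stays invalid, as the second route above does. The following Python script is an added example, not SR OS or Nokia code, that parses the text of the show router bgp routes flow-ipv4 display, reads the status codes (a route that passed validation carries the "*" code, a used route the "u" code), collects the NLRI subcomponents, and reports each route as VALID or INVALID. The sample output embedded in the script is constructed from the PE-1 display above; the line-layout assumptions (the AS path on the line after the route line, the subcomponents as "Key : value" lines) are taken from that display and would need checking against other releases.

```python
"""Parse 'show router bgp routes flow-ipv4' output and flag FlowSpec routes that
failed validation (no '*' status code).  Added example, not SR OS or Nokia code;
the sample output below is constructed from the PE-1 display in this chapter."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_OUTPUT = """\
===============================================================================
BGP FLOW IPV4 Routes
===============================================================================
Flag Network Nexthop LocalPref MED
As-Path
-------------------------------------------------------------------------------
u*>i -- 0.0.0.0 n/a None
64500
Community Action: rate-limit: 0 kbps
NLRI Subcomponents:
Src Pref : 172.16.115.2/30
Ip Proto : [ == 6 ]
Dest Port : [ == 4191 ]
Src Port : [ >1024 ]
i -- 0.0.0.0 n/a None
64500
Community Action: rate-limit: 0 kbps
NLRI Subcomponents:
Dest Pref : 172.16.122.2/30
Src Pref : 172.16.115.2/30
Ip Proto : [ == 6 ]
Dest Port : [ == 4191 ]
Src Port : [ >1024 ]
-------------------------------------------------------------------------------
Routes : 2
"""

# First line of each route: status/origin flags, '--' placeholder network, next hop, local pref, MED
ROUTE_RE = re.compile(r"^(?P<flags>\S+)\s+--\s+(?P<nexthop>\S+)\s+(?P<lpref>\S+)\s+(?P<med>\S+)$")
# NLRI subcomponent lines such as "Dest Pref : 172.16.122.2/30"
SUBCOMP_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.+)$")


@dataclass
class FlowRoute:
    flags: str
    nexthop: str
    as_path: str
    action: str = ""
    nlri: Dict[str, str] = field(default_factory=dict)

    @property
    def valid(self) -> bool:          # '*' status code: the route passed validation
        return "*" in self.flags

    @property
    def used(self) -> bool:           # 'u' status code: the route is installed as a filter entry
        return "u" in self.flags


def parse_flow_routes(text: str) -> List[FlowRoute]:
    routes: List[FlowRoute] = []
    lines = iter(text.splitlines())
    cur = None
    for raw in lines:
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            # the AS path is printed on the line following the route line
            cur = FlowRoute(m["flags"], m["nexthop"], next(lines, "").strip())
            routes.append(cur)
        elif cur is None:
            continue                  # still in the header
        elif line.startswith("---"):
            cur = None                # trailer: end of the route list
        elif line.startswith("Community Action:"):
            cur.action = line.split(":", 1)[1].strip()
        else:
            sm = SUBCOMP_RE.match(line)
            if sm:
                cur.nlri[sm["key"].strip()] = sm["val"].strip()
    return routes


def audit(text: str) -> List[str]:
    """One report line per route, marking routes that failed validation."""
    report = []
    for r in parse_flow_routes(text):
        state = "VALID" if r.valid else "INVALID"
        report.append(f"{state:7} as-path=[{r.as_path}] dest={r.nlri.get('Dest Pref', 'any')} "
                      f"src={r.nlri.get('Src Pref', 'any')} action={r.action}")
    return report


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_OUTPUT)))
```

Fed the captured display, the script reports the route without a destination prefix as VALID and the route with destination prefix 172.16.122.2/30 as INVALID, matching the status codes in the display.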
The valid FlowSpec IPv4 route without destination prefix subcomponent will be advertised to the other PEs. The FlowSpec IPv4 route is valid, best, and used on PE-5, as follows.
*A:PE-5# show router bgp routes flow-ipv4
===============================================================================
BGP Router ID:192.0.2.5 AS:64501 Local AS:64501
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP FLOW IPV4 Routes
===============================================================================
Flag Network Nexthop LocalPref MED
As-Path
-------------------------------------------------------------------------------
u*>i -- 0.0.0.0 100 None
64496 64500
Community Action: rate-limit: 0 kbps
NLRI Subcomponents:
Src Pref : 172.16.115.2/30
Ip Proto : [ == 6 ]
Dest Port : [ == 4191 ]
Src Port : [ >1024 ]
-------------------------------------------------------------------------------
Routes : 1
Matching traffic originating from T1 will be discarded on PE-5, as follows.
*A:PE-5# monitor port 1/1/1 1/1/2 1/1/3 rate interval 3 repeat 2
===============================================================================
Monitor statistics for Ports
===============================================================================
Input Output
-------------------------------------------------------------------------------
---snip---
-------------------------------------------------------------------------------
At time t = 3 sec (Mode: Rate)
-------------------------------------------------------------------------------
Port 1/1/1
-------------------------------------------------------------------------------
Octets 540459 27
Packets 4222 0
---snip---
Port 1/1/3
-------------------------------------------------------------------------------
Octets 0 0
Packets 0 0
---snip---
*A:PE-5# show filter ip 1
===============================================================================
IP Filter
===============================================================================
Filter Id : 1 Applied : Yes
Scope : Template Def. Action : Forward
System filter : Unchained
Radius Ins Pt : n/a
CrCtl. Ins Pt : n/a
RadSh. Ins Pt : n/a
PccRl. Ins Pt : n/a
Entries : 0/0/0/1 (Fixed/Radius/Cc/Embedded)
Description : (Not Specified)
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry : 256
Origin : Inserted by embedded filter fSpec-0 entry 256
Description : (Not Specified)
Log Id : n/a
Src. IP : 172.16.115.2/30
Src. Port : gt 1024
Dest. IP : 0.0.0.0/0
Dest. Port : eq 4191
Protocol : 6 Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Src Route Opt : Off
Sampling : Off Int. Sampling : On
IP-Option : 0/0 Multiple Option: Off
TCP-syn : Off TCP-ack : Off
Option-pres : Off
Egress PBR : Disabled
Primary Action : Drop
Ing. Matches : 321617 pkts (41166976 bytes)
Egr. Matches : 0 pkts
===============================================================================
*A:PE-5#
Conclusion
Flow specifications received from iBGP or eBGP peers are by default accepted without validation. FlowSpec routes with a destination prefix subcomponent can be validated against BGP unicast routing.